
NetLogon Errors 5774


James White

Nov 19, 2003, 5:35:14 AM
On booting a W2k3 server, "sometimes" there are many Netlogon errors saying that this key (LDAP etc. etc.) and that 192.168.0.200 address could not be registered in a DNS server. The odd thing is the DNS server can vary and seems to be either the primary DNS server as registered for the domain, not the local inside-firewall DNS server as defined in the LAN TCP/IP properties, or sometimes it is the local net registry server for the .au domain, when the domain in use is a non-registered domain. This happened on an upgraded W2k server that never reported this error before the upgrade, then (occasionally) on a new-install W2k3 server (but not if you pull its connection to the internet before booting - I'll show it who is boss).
This appears to occur during startup (IPSEC bootmode issue???)
Restarting NETLOGON after DNS is running (and IPSEC bootmode is a faint memory) produces NO errors.
 
Can they be ignored? Where do they come from, and why?
 
Jim White
 
 
 
 
Here is a sample
 
The dynamic registration of the DNS record 'dibbedydoo.com.au. 600 IN A 192.168.0.200' failed on the following DNS server: 
 
DNS server IP address: 203.18.56.41    <---- NS1.AUSREGISTRY.NET !!!
Returned Response Code (RCODE): 5
Returned Status Code: 9017 
 
For computers and users to locate this domain controller, this record must be registered in DNS. 
 
USER ACTION 
Determine what might have caused this failure, resolve the problem, and initiate registration of the DNS records by the domain controller. To determine what might have caused this failure, run DCDiag.exe. You can find this program on the Windows Server 2003 installation CD in Support\Tools\support.cab. To learn more about  DCDiag.exe, see Help and Support Center. To initiate registration of the DNS records by  this domain controller, run 'nltest.exe /dsregdns' from the command prompt on the domain  controller or restart Net Logon service. Nltest.exe is available in the Microsoft Windows  Server Resource Kit CD.
  Or, you can manually add this record to DNS, but it is not recommended. 
 
ADDITIONAL DATA
Error Value: DNS bad key.
 
For more information, see Help and Support Center at
 

Ace Fekay [MVP]

Nov 20, 2003, 10:29:58 PM
In news:OxG2Tjor...@TK2MSFTNGP09.phx.gbl,
James White <nosp...@cshnospam.com.au.au.au> posted their thoughts, then I
offered mine

NO, they cannot be ignored. This is an essential function or AD can become
non-functional. It's due to your DNS client configuration.

The clue is in the error here:


> The dynamic registration of the DNS record 'dibbedydoo.com.au. 600 IN
> A 192.168.0.200' failed on the following DNS server:
>
> DNS server IP address: 203.18.56.41 <---- NS1.AUSREGISTRY.NET !!!
> Returned Response Code (RCODE): 5
> Returned Status Code: 9017

It means you are using your ISP's or some other DNS that is NOT hosting the
AD zone name, hence the massive error. Yes, this is a big error for AD.

5774 errors are caused 99.9% of the time by using your ISP's DNS in your
IP properties, such as that 203.18.56.41. You MUST remove it and use only your
own internal DNS. You must remove it from your client machines too.
Adjust your DHCP server to reflect this. For Internet resolution, you can
either use the Root hints (default) or configure a forwarder for efficient
Internet resolution. If the forwarding option is grayed out, delete the
Root zone (looks like a period), refresh and try it again.

This article will show you how to do both these steps:
http://support.microsoft.com/?id=300202

More info on AD and its absolute DNS requirements:
http://support.microsoft.com/?id=291382

--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS IS" with no warranties.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
--
=================================
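
An added example, not part of either post: a small triage of the 5774 event text quoted above that extracts the record, the target DNS server and the return codes, then flags a registration sent to a server outside the approved internal set. `INTERNAL_DNS` and the function names are assumptions for illustration, and the sample event is constructed from the message in the thread.

```python
import ipaddress
import re

# Constructed sample, taken from the event text quoted in the thread.
SAMPLE_EVENT = """The dynamic registration of the DNS record 'dibbedydoo.com.au. 600 IN A 192.168.0.200' failed on the following DNS server:
DNS server IP address: 203.18.56.41
Returned Response Code (RCODE): 5
Returned Status Code: 9017
"""

# Assumption: the servers that host the AD zone (hypothetical value).
INTERNAL_DNS = {"192.168.0.200"}
# Standard DNS response codes (RFC 1035 / RFC 2136).
RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED", 9: "NOTAUTH"}

EVENT_RE = re.compile(
    r"DNS record '(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+(?P<type>\S+)\s+(?P<data>[^']+)'"
    r".*?DNS server IP address:\s*(?P<server>[0-9.]+)"
    r".*?\(RCODE\):\s*(?P<rcode>\d+)"
    r".*?Status Code:\s*(?P<status>\d+)",
    re.DOTALL,
)

def parse_5774(text):
    """Return the fields of a 5774 event message, or None if it does not match."""
    m = EVENT_RE.search(text)
    if m is None:
        return None
    ev = m.groupdict()
    ev["data"] = ev["data"].strip()
    ev["rcode"] = RCODES.get(int(ev["rcode"]), ev["rcode"])
    ev["status"] = int(ev["status"])
    return ev

def triage(ev, internal_dns=INTERNAL_DNS):
    """List what is wrong with where this dynamic update was sent."""
    findings = []
    if ev["server"] in internal_dns:
        return findings  # sent to a server hosting the AD zone: look elsewhere
    findings.append("update sent to a DNS server outside the approved internal set")
    if not ipaddress.ip_address(ev["server"]).is_private:
        findings.append("target DNS server is outside the LAN")
        if ev["type"] == "A" and ipaddress.ip_address(ev["data"]).is_private:
            findings.append("private address disclosed in the update")
    return findings

if __name__ == "__main__":
    event = parse_5774(SAMPLE_EVENT)
    print(event["server"], event["rcode"], triage(event))
```
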


James White

Nov 22, 2003, 4:40:48 PM
You are correct - of course. Thank you for your advice.

I had the STATIC DNS on the Smoothwall Firewall in the connections on the
Server.
The Firewall DHCP was setting itself as Second DNS for DHCP clients.
The connection Domain in the DHCP was set to an internal domain, hence
somehow ending up at the AU Name Registry; the Servers were correct so they
ended up at the Domain Registered NS.

This never happened in W2k, only W2k3.

One Knowledge Base article suggested making Netlogon a dependency of the DNS
service, but I cannot identify it now. Do you have thoughts on that for the
PDC and Primary DNS Server? Where does it look when it boots otherwise, if
Netlogon starts before DNS?


Jim White
